Very good idea! I will try that this week and will let you know if it works!
Thank you!

On Sun, Oct 7, 2018 at 00:17, bls s <bls3...@outlook.com> wrote:

> I just did a quick test using my iPhone, and it appears to work just fine.
> Using 2 strongSwan profiles, each profile has a different VPN cert, with
> different altNames in the cert. By changing the Remote ID on iOS I was able
> to authenticate with each of the 2 profiles.
>
> From: bls s <bls3...@outlook.com>
> Sent: Friday, October 5, 2018 6:54 AM
> To: Matthieu Nantern <matthieu.nant...@margo.com>
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients
>
> I haven't looked into this in detail, but could you use different VPN
> certs for each subnet? Each VPN cert would be in a different conn section,
> and they would have different altNames (SAN). If I understand the macOS VPN
> config correctly (looks a lot like iOS), when certs are installed onto
> macOS, you can specify the Remote ID, which is the SAN that matches that of
> the VPN cert.
>
> From: Matthieu Nantern <matthieu.nant...@margo.com>
> Sent: Thursday, October 4, 2018 11:31 PM
> To: bls3...@outlook.com
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients
>
> We are using certificates (one for each client device) but I have 2
> networks: n1 and n2. And I want some users to be able to access n1 and
> others n1 + n2.
>
> I wanted to make the distinction by using a conf like that:
>
> conn alice
>     leftsubnet=10.1.0.10/32
>     right=%any
>     rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*"
>     auto=add
>
> conn venus
>     leftsubnet=10.1.0.20/32
>     right=%any
>     rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*"
>     auto=add
>
> But unfortunately with the macOS client I don't have the Distinguished Names
> but only the FQDN:
>
> ikev2-pubkey[1216]: ESTABLISHED 2 minutes ago, 10.8.1.113[vpn.test.net]...213.41.12.162[firstname.lastn...@test.com]
> ikev2-pubkey{2102}: INSTALLED, TUNNEL, reqid 325, ESP in UDP SPIs: c4d64307_i 0c4df008_o
>
> And if you compare that with the strongSwan Android client:
>
> ikev2-pubkey[1217]: ESTABLISHED 4 seconds ago, 10.8.1.113[vpn.test.net]...213.41.12.162[C=FR, O=Test, OU=Prod, CN=firstname.lastn...@test.com]
> ikev2-pubkey{2103}: INSTALLED, TUNNEL, reqid 326, ESP in UDP SPIs: c3b37b06_i be7247e0_o
>
> So I cannot route my users according to their certificates and I was
> wondering what can I do?
>
> On Thu, Oct 4, 2018 at 19:42, bls s <bls3...@outlook.com> wrote:
>
> Someone will likely explain why using certificates sucks, but if you use
> certificates (one for each client device) you'll have fine-grained user
> access control (by revoking/deleting certs), and you don't need to list all
> the enabled certs anywhere in your config file.
>
> From: Users <users-boun...@lists.strongswan.org> on behalf of Matthieu Nantern <matthieu.nant...@margo.com>
> Sent: Thursday, October 4, 2018 8:41 AM
> To: users@lists.strongswan.org
> Subject: Re: [strongSwan] Ikev2 wildcards with MacOs clients
>
> Is it possible to have multiple email addresses in the "rightid" parameter?
> Maybe I can list all authorized users for each server instead of relying on
> Distinguished Names?
>
> On Wed, Oct 3, 2018 at 08:42, Matthieu Nantern <matthieu.nant...@margo.com> wrote:
>
> Hi!
>
> I installed strongSwan to allow my users (mainly macOS X clients) to use
> the native IKEv2 authentication. Everything is working fine.
>
> Now I would like to implement something like that:
> https://www.strongswan.org/testing/testresults/ikev2/wildcards/index.html ;
> allowing some clients to access some networks and not the others.
>
> Unfortunately I didn't see (or understand) the issue on that page
> (https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile):
>
> ASN.1 Distinguished Names can't be used as identities because the client
> currently sends them as identities of type FQDN.
>
> As a result when I put rightid in my configuration it's not working
> because macOS X is only sending a FQDN (an email address in my case) and not
> the Distinguished Name.
>
> My question is how can I allow (or deny) some networks to some users?
>
> I have a file that associates email addresses to "role" but I don't know how
> to use it. Maybe a plugin?
>
> Any ideas/links?
>
> Thank you!
>
> --
> Matthieu Nantern

--
Matthieu Nantern
SRE, Margo Bank
+33683148506
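One way to use the email-to-role file the thread mentions, as an added example that is not code from the thread, from strongSwan or from either poster: since the macOS client sends its e-mail address as IKE identity (as the quoted log shows), each user gets one ipsec.conf conn whose rightid is that exact e-mail, and the conn's leftsubnet is the union of the subnets granted to the user's roles. This goes beyond the per-subnet conns on the page by granting several subnets per user in one conn. The role file format, the role-to-subnet table, the certificate file name and the virtual IP pool are assumptions; the server identity vpn.test.net is the one from the quoted log and must match the Remote ID configured in the client profile.

```python
"""Generate strongSwan ipsec.conf conn sections from an e-mail -> roles file.

Added example (not from the mailing-list thread or from strongSwan). It assumes
clients authenticate with certificates and present their e-mail address as IKE
identity, so one conn per user with an exact rightid selects the user's access.
"""
import csv
import io
import ipaddress
import re

# Assumed role -> reachable subnets table (constructed values).
ROLE_SUBNETS = {
    "n1": ["10.1.0.0/24"],
    "n2": ["10.2.0.0/24"],
}

# Constructed contents of the poster's "e-mail to role" file (assumed CSV format,
# roles separated by spaces; blank lines and '#' comments are ignored).
ROLE_FILE = """\
email,roles
alice@test.com,n1
# bob is allowed on both networks

bob@test.com,n1 n2
"""

# Addresses are lower-cased before matching, so the pattern is lower-case only.
EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")


def parse_role_file(text):
    """Return {email: set of roles}. Fail closed: a malformed e-mail or an
    unknown role aborts generation instead of silently producing a bad conn."""
    users = {}
    rows = [ln for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
    for row in csv.DictReader(io.StringIO("\n".join(rows))):
        email = row["email"].strip().lower()
        if not EMAIL_RE.match(email):
            raise ValueError(f"invalid e-mail in role file: {email!r}")
        roles = set(row["roles"].split())
        unknown = roles - set(ROLE_SUBNETS)
        if unknown:
            raise ValueError(f"{email}: unknown role(s) {sorted(unknown)}")
        users.setdefault(email, set()).update(roles)
    return users


def subnets_for(roles):
    """Comma-separated, sorted, de-duplicated leftsubnet value for a role set."""
    nets = {ipaddress.ip_network(s) for r in roles for s in ROLE_SUBNETS[r]}
    return ",".join(str(n) for n in sorted(nets))


def conn_name(email):
    """Derive a unique conn name containing only safe characters."""
    return "user-" + re.sub(r"[^a-z0-9]+", "-", email)


def render_ipsec_conf(users):
    """Render a %default section plus one conn per user."""
    lines = [
        "conn %default",
        "    keyexchange=ikev2",
        "    leftauth=pubkey",
        "    rightauth=pubkey",
        "    left=%any",
        "    leftcert=vpnCert.pem",        # assumed server certificate file
        "    leftid=vpn.test.net",         # server SAN from the quoted log
        "    right=%any",
        "    rightsourceip=10.9.0.0/24",   # assumed virtual IP pool
        "    auto=add",
        "",
    ]
    for email in sorted(users):
        lines += [
            f"conn {conn_name(email)}",
            f"    rightid={email}",        # exact e-mail identity the client sends
            f"    leftsubnet={subnets_for(users[email])}",
            "",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_ipsec_conf(parse_role_file(ROLE_FILE)))
```

Each generated conn differs only in rightid and leftsubnet, so strongSwan selects the conn whose rightid equals the client's identity and installs only that user's subnets. Revoking a user is then a matter of removing the line from the role file and regenerating, alongside revoking the certificate.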